cmov: implement a constant-time equality trait

[brxken128]

In #868, the idea of a constant-time equality trait within cmov was discussed.

Rust currently has quite a lot of constant-time equality traits, so I'm unsure if bringing a new one into the field is the best idea.

It's possible that we could add support for it within cmov, but then implement it into a crate such as subtle (likely behind a new feature). This approach means that we don't bring yet another CT-EQ trait into the field, but can still provide constant-time equality comparisons that won't be optimized away by the compiler. Current users of the subtle crate could also enable this with almost no-effort.

I have a working x86 PoC locally - it does not seem out of reach for Aarch64 either.

I'd love to hear any thoughts/ideas surrounding this, as there's a lot applications where this functionality would be beneficial.

[tarcieri]

Something like this possibly?

pub trait CmovEq {
    fn cmoveq(a: &Self, b: &Self, cond_in: Condition, cond_out: &mut Condition);
}

[brxken128]

I think that'd be pretty suitable - it's in-line with the current API, and low-level enough to be applicable to pretty much any application that I can think of.

Also would be quite easy to make use of it externally.

Edit: I'll start a more refined implementation of this once #871 lands

[brxken128]

As a bit of a progress update, I have it working extremely well for x86 (currently impl'd for u8 and u16 but further additions should be simple).

Should we have a cmovne function also? We could always leave it up to the caller if needs be, but implementing it wouldn't be hard at all.

[tarcieri]

Sure, though it would be good to make it a provided method

[brxken128]

I've made quite a lot of progress! I have working implementations for both x86 and Aarch64.

Some of the code is pretty unoptimised currently, but it works - here's the branch.

I'm a little unsure on the provided method, and on the u128 implementation - they seem pretty clunky in comparison. Definitely still have some work to go haha

edit: will need some very thorough testing as I'm not too sure how well eor will work on Aarch64 - the docs

I also took out the :x register modifier and cleaned the macro usage up, although in hindsight it seemed deliberate - I can revert if needed. I have very little clue when it comes to the portable implementation - it works, but there's likely a better way to do it.

[tarcieri]

I think it would probably make more sense if CmovEq::cmovne were provided and CmovEq::cmoveq was the one you implement

[brxken128]

I think it would probably make more sense if CmovEq::cmovne were provided and CmovEq::cmoveq was the one you implement

I agree - will change that. Should I open a PR so we can work on cleaning it up? Some of the implementation is a little sub-par, but I'm not too sure on how to improve it.

[tarcieri]

Sure

[tarcieri]

Added in #873

[brxken128]

As an extension to this, when I find some extra time I'll attempt to add support for this within the subtle crate and open a PR there.

[tarcieri]

@brxken128 yeah, I think subtle might benefit by directly implementing traits like ConditionallySelectable using CMOV (and then impl'ing ConstantTimeEq using ConditionallySelectable), as opposed to trying to use the cmov crate as a dependency, even if it means duplicating some of the logic

[brxken128]

That sounds good to me! Will give it a shot when I get a minute, hopefully won't be too bad.